Komodo Bug Found: How We Defeated An Attack

Komodo has just gone through a small emergency caused by an attacker trying to exploit a bug he found. The attacker didn’t cause any real damage as our team responded quickly.

The attack started during the weekend and lasted about 30 hours before one of our notary nodes detected it. We quickly pushed a fix that was going to go into effect at Komodo block # 236000. At this point, the attacker had only been creating few coins to avoid detection, and the damage caused was minimal.

The attacker went into overdrive after he saw that a fix was coming. He started to generate as many coins as he possibly could, and that led us to take further action. We publicly announced that we would roll back few hours, and advised everyone not to do KMD transactions until the rollback was done. Here’s how jl777 described the situation:

I announced the block that will be rolled back to, pretty much in real time, so it is more like stopping the chain at 235300 rather than rolling back. Of course, a few hundred blocks were generated during the time to make the fix, so yes, technically it is a rollback of a few hours.

Without the rollback, KMD coin supply would have expanded about 10 % as the attacker would have been able to create over 10 million KMD. We managed to avoid all this by just rolling back a few hours.

These recent events have a lot of similarities with Bitcoin’s early days. Here’s what happened on 6th of August, 2010:

A major vulnerability in the bitcoin protocol was spotted. Transactions weren’t properly verified before they were included in the transaction log or blockchain, which let users bypass bitcoin’s economic restrictions and create an indefinite number of bitcoins. On 15 August, the vulnerability was exploited; over 184 billion bitcoins were generated in a transaction and sent to two addresses on the network. Within hours, the transaction was spotted and erased from the transaction log after the bug was fixed and the network forked to an updated version of the bitcoin protocol. This was the only major security flaw found and exploited in bitcoin’s history.

The difference is that bitcoin knew about it for over a week, while we found out about it when the attack was already under way. This attack is not comparable with a typical hack where an exchange loses funds. In our situation, the bug was in Komodo code and considering its implications a rollback was the logical thing to do to avoid damage.

Komodo is still a young project and has a lot of new code built on top of it. The quicker these bugs are found, the less effect they will have. The longer Komodo blockchain keeps running, the less likely that further such bugs are found in the future.

We continue to closely follow our network and promise to quickly respond in a similar manner to any possible future incident.